Field
Embodiments of the present invention generally relate to the field of cellular network technology. In particular, various embodiments relate to management of cellular data usage during Denial of Service (DoS) attacks.
Description of the Related Art
Nowadays, it is crucial for a company to maintain a reliable connection to the Internet without disruption. A private network of a company usually has more than one connection to the Internet so that a failover connection may maintain connectivity to the Internet when a primary Internet connection has failed.
FIG. 1 illustrates a typical prior art network architecture with wireless failover connections. As shown in FIG. 1, network security device 120 has a Local Area Network (LAN) port 124, which is used for connecting a local network. Network security device 120 also has a Wide Area Network (WAN) port 123, which is connected to a cable modem 122 that is usually provided by an Internet Service Provider (ISP). Cable modem 122 is used for connecting the local network to the Internet 150 through the ISP. Network security device 120 also has Third Generation (3G)/Fourth Generation (4G) modems 125 and 126 (and/or one or more Long Term Evolution (LTE) modems) as failover connections. 3G/4G modems 125 and 126 may be in the form of one or more Universal Serial Bus (USB) dongles that are inserted into a USB port of network security device 120. When the primary Internet connection is lost as a result of a problem with cable modem 122 or the ISP, 3G/4G modem 125 or 126 may connect to the Internet 150 through a 3G/4G cellular network.
To improve the 3G/4G connection, remote wireless adapters have been introduced so that a 3G/4G USB wireless modem may be connected to the network security device remotely. As shown in FIG. 1, remote wireless adapter 110 has 3G/4G modems 112 and 113 and an Ethernet port 111. Remote wireless adapter 110 may be placed at a location remote from network security device 120 where the 3G/4G signal is stronger than the 3G/4G signal observed at the location of network security device 120. Network security device 120 and remote wireless adapter 110 are connected through a cable between WAN port 121 of network security device 120 and Ethernet port 111 of remote wireless adapter 110. Remote wireless adapter 110 is another router besides cable modem 122. Public Internet Protocol (IP) addresses assigned to 3G/4G modems 112 and 113 by the 3G/4G cellular network are sent to network security device 120.
When the primary Internet connection of cable modem 122 is down, network security device 120 forwards all outgoing traffic to WAN port 121. The outgoing traffic is then forwarded to the Internet through 3G/4G modems 112 and 113 of remote wireless adapter 110.
Network security device 120, e.g., a firewall, is used for protecting the networks from attacks, e.g., malware, viruses, Distributed DoS (DDoS) and the like. An administrator may deploy a network security appliance, e.g., network security device 120, at a border of a private network and configure a set of security policies in accordance with the needs of the private network. Network security device 120 then checks network traffic going through the private network based on the security policies. An action, e.g., allow, deny or deep scanning, may be taken on network traffic when the traffic triggers a security policy. Network security device 120 may also detect DoS attacks by observing and tracking network traffic arriving at the private network. When one or more attributes of the network traffic exceed predetermined parameters, the DoS network traffic is blocked and normal network traffic is allowed to go through network security device 120.
When the private network is connected to the Internet through 3G/4G modems 112, 113, 125 or 126, network traffic is transmitted/received through cellular data networks. Typically, any data traffic transmitted via the cellular modems is counted towards a data plan usage of a carrier of a cellular network. During DoS attacks, a large amount of network traffic, due to the DoS attack, is received by the cellular modems. This may result in one or more of the following consequences:
i) Quick and unexpected overage of the subscribed Internet data plan.
ii) Inactive Internet connection once the subscribed limit of the Internet data plan is reached.
iii) Slow Internet connectivity once the subscribed limit of the high speed Internet data plan is reached, as some carriers throttle the speeds to lower levels after reaching a certain limit.
iv) Footing an expensive bill for Internet data usage.
v) Poor Internet connectivity affecting the services received/offered, which rely primarily on the underlying cellular Internet.
Therefore, there is a need for an effective management of cellular network data usage when an enterprise network is experiencing a DoS attack.
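The gap described above can be shown with a small model, added here as an illustration and not taken from the patent: a per-source packet-rate threshold (one possible "predetermined parameter") sits behind a metered cellular link, and the bytes counted against the data plan are compared with the bytes the firewall actually delivers. The function names, the 100 packets-per-second limit, the sample addresses and the assumption that the carrier meters traffic before the firewall sees it are all assumptions of this sketch.

```python
from collections import defaultdict, deque

def simulate(packets, pps_limit, window=1.0):
    """Pass packets through a per-source rate threshold behind a metered link.

    packets: time-ordered (timestamp_seconds, source_ip, size_bytes) tuples.
    Returns (metered_bytes, delivered_bytes, blocked_sources).
    """
    recent = defaultdict(deque)   # source -> arrival times inside the window
    blocked = set()
    metered = delivered = 0
    for ts, src, size in packets:
        # Assumption: the carrier counts the bytes once the cellular modem
        # has received them, before the firewall makes any decision.
        metered += size
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        # Simplification: a source that exceeds the limit stays blocked.
        if len(q) > pps_limit:
            blocked.add(src)
        if src not in blocked:
            delivered += size
    return metered, delivered, blocked

def constructed_traffic():
    """Constructed sample: 10 s of one normal client plus one flooding source."""
    pkts = []
    for sec in range(10):
        pkts.append((sec + 0.5, "198.51.100.7", 1200))       # 1 packet/s
        for i in range(500):                                  # 500 packets/s
            pkts.append((sec + i / 500, "203.0.113.9", 1000))
    return sorted(pkts)

if __name__ == "__main__":
    metered, delivered, blocked = simulate(constructed_traffic(), pps_limit=100)
    print(f"blocked sources : {sorted(blocked)}")
    print(f"delivered bytes : {delivered}")
    print(f"metered bytes   : {metered}")
```

In this constructed run the firewall blocks the flooding source almost immediately, yet nearly all of the flood's bytes are still counted against the plan, which is the overage problem the consequences above describe.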